Cisco ONS 15530 Configuration Guide and Command Reference
78-16019-02, Cisco IOS Release 12.2(18)SV2
Chapter 3 Initial Configuration
Configuring Security Features
Configuring TACACS+
To configure your router to support TACACS+, perform the following tasks:
Step 1 Use the aaa new-model global configuration command to enable AAA. AAA must be configured if you
plan to use TACACS+. Refer to the “AAA Overview” chapter in the Cisco IOS Security Configuration
Guide.
Step 2 Use the tacacs-server host command to specify the IP address of one or more TACACS+ daemons. Use
the tacacs-server key command to specify an encryption key that is used to encrypt all exchanges
between the network access server and the TACACS+ daemon. This same key must also be configured
on the TACACS+ daemon.
Step 3 Use the aaa authentication global configuration command to define method lists that use TACACS+ for
authentication. Refer to the “Configuring Authentication” chapter in the Cisco IOS Security
Configuration Guide.
Step 4 Use line and interface commands to apply the defined method lists to various interfaces. Refer to the
“Configuring Authentication” chapter in the Cisco IOS Security Configuration Guide.
Step 5 If needed, use the aaa authorization global command to configure authorization for the network access
server. Unlike authentication, which can be configured per line or per interface, authorization is
configured globally for the entire network access server. Refer to the “Configuring Authorization”
chapter in the Cisco IOS Security Configuration Guide.
Step 6 If needed, use the aaa accounting command to enable accounting for TACACS+ connections. Refer to
the “Configuring Accounting” chapter in the Cisco IOS Security Configuration Guide.
Refer to the “Configuring TACACS+” chapter in the Cisco IOS Security Configuration Guide.
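The six steps above combined into one configuration, as an added example that is not taken from the Cisco guide. The method list name VTY-TACACS, the daemon address 192.0.2.10, the key placeholder, and the local fallback account are assumptions chosen for illustration.

```cisco
! Added example, not from the Cisco guide. All names, addresses, and
! secrets below are constructed placeholders.
!
! Fallback account (assumption): used only if no TACACS+ daemon answers,
! so a daemon outage does not lock administrators out.
username localadmin privilege 15 secret <local-fallback-secret>
!
! Step 1: enable AAA.
aaa new-model
!
! Step 2: point the system at the TACACS+ daemon and set the shared key.
! The same key must be configured on the daemon.
tacacs-server host 192.0.2.10
tacacs-server key <shared-key>
!
! Step 3: define a named method list. Try TACACS+ first and fall back to
! the local user database only when the daemon is unreachable.
aaa authentication login VTY-TACACS group tacacs+ local
!
! Step 4: apply the method list to the terminal lines.
line vty 0 4
 login authentication VTY-TACACS
 exit
!
! Step 5 (optional): authorization is global, not per line.
aaa authorization exec default group tacacs+ if-authenticated
!
! Step 6 (optional): record the start and stop of each EXEC session.
aaa accounting exec default start-stop group tacacs+
```

Keep an existing console session open while applying the method list, and confirm a TACACS+ login from a second session before closing it.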
Configuring Traffic Filters and Firewalls
The Cisco ONS 15530 supports the traffic filter and firewall features provided by Cisco IOS.
Traffic filters provide basic traffic filtering capabilities with access control lists (also referred to as
access lists). Access lists can be configured for all routed network protocols (IP, AppleTalk, and so on)
to filter the packets of those protocols as the packets pass through a system. You can configure access
lists on your Cisco ONS 15530 to control access to a network, preventing certain traffic from entering
or exiting a network.
Firewalls are networking devices that control access to your organization's network assets. You can
position firewalls to control access at the entrance points into your network, or to control access to a
specific part of your network.
Refer to the “Traffic Filtering and Firewalls” part in the Cisco IOS Security Configuration Guide.
Configuring Passwords and Privileges
Using passwords and assigning privilege levels is a simple way of providing terminal access control in
your network. You can configure up to 16 different privilege levels and assign each level to a password.
For each privilege level you define a subset of Cisco IOS commands that can be executed. You can use
these different levels to allow some users the ability to execute all Cisco IOS commands, and to restrict
other users to a defined subset of commands.